World

Dubai has enacted a new data protection law that replaces the current privacy law, law N. 1 of 2007. The new 50-page law, which modernizes the current data protection law, will come into effect on July 1, 2020, at which time the pre-existing law and all related regulations will be repealed.

The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DIFC Law No. 5 of 2020) was enacted on June 1, 2020 by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, in capacity as the Ruler of Dubai. Like its predecessor, the geographic scope of the law is limited to the Dubai International Financial Centre (DIFC) rather than the entire territory of the Dubai emirate.

The new law introduces concepts of accountability, and enhances individuals’ control over their personal data. It also provides for fines for data breaches. According to its Article 5, the purpose of the law is to provide standards and controls for the processing and free movement of personal data, and to protect the fundamental rights of the data subjects. Interestingly, Article 5 also specifies that the purpose of the law is to protect the fundamental rights of data subject “including how such rights apply to the protection of personal data in emerging technologies.”

Overview

DIFC Law No. 5 of 2020 takes into accounts principles found it other well-known data protection laws, such as the EU General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law (LGPD), and the California Consumer Privacy Act (CCPA). According to the official press release, the modernization of the data protection legal landscape of the DIFC signals its ambition to apply for adequacy recognition by the European Commission and other jurisdictions, which would ease global data transfers for DIFC-based businesses.

(more…)

Francoise Gilbert

Cloud service providers and users are becoming aware that data or communications held in the cloud may be subject to requests for access by third parties such as a government conducting an investigation, or a party involved in a lawsuit. Requests for access by law enforcement, intelligence and secret services are governed by very complex rules, and predictably, these rules differ from country to country.

A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security, in a discussion of the laws that regulate government access to cloud data. (more…)

Francoise Gilbert

Data privacy and security issues, laws and regulations are published, modified and superseded at a rapid pace around the world. The past ten years, in particular, have seen a significant uptake in the number of laws and regulations that address data privacy or security on all continents. On March 1, 2013, a program held at Santa Clara University’s Markkula Center for Applied Ethics, titled “Hot Issues in Global Privacy and Security”, featured attorneys practicing on all continents who provided an update on the privacy, security and data protection laws in their countries.

The second half of the program featured a panel moderated by Francoise Gilbert, where the chief privacy counsel or chief privacy official of McAfee, Symantec and VMWare talked about how to drive a global privacy and security program in multinational organizations.

Videos of the program are available by clicking here.

The program was the second part of a two-day series of events. The first program was held in San Francisco on February 28, 2013, and was sponsored by Box, Inc. and the Cloud Security Alliance. This program focused on Government Access to Cloud Data and started with an overview of the laws that regulate US government access to data, presented by Francoise Gilbert. A panel featuring European and North American attorneys followed; they discussed the equivalent laws in effect in their respective countries. The program concluded with a presentation by the general counsel of Box, Inc., who spoke about the way in which his company responds to government requests to access to data stored by his company.

Videos of this program are available by clicking here.

Francoise Gilbert

A program held in conjunction with the RSA San Francisco 2013 Conference and sponsored by the Cloud Security Alliance and Box – a major provider of cloud services – recently featured some of the contributors to the Global Privacy & Security Law treatise, Jean-Francois Henrotte (Philippe & Partners, Belgium), Frederic Forster (Alain Bensoussan Avocats, Paris), Raffaele Zallone (Studio Zallone, Italy) and Francoise Gilbert (IT Law Group, USA). The program presented a discussion of the US and foreign laws that regulate government access to cloud data. (more…)

Francoise Gilbert

In its Opinion 05/2012 on Cloud Computing published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and lack of information about how, where and by whom the data are being processed or sub-processed in the cloud.  It expressly deems the Safe Harbor regime insufficient to meet the requirements of the national data protection laws.

(more…)

Francoise Gilbert

How to build cloud applications that anticipate your customers’ legal constraints?

To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and the applicable medical information state laws. If it fails to do so, it will not be able to sign-up customers. Similarly, a cloud that uses servers that are located throughout the world must be sensitive to the fact that foreign data protection laws will apply, and that these laws have stringent requirements that differ from those in effect in the United States. If you fail to address these obstacles, your potential customers will take their business elsewhere.

(more…)

Francoise Gilbert

Top ten list of issues presented by Francoise Gilbert as part of her Conference Chair address, at the PLI Privacy & Security Conference in San Francisco, May 23-24, 2011.

(more…)

Francoise Gilbert

In a cloud computing environment, data and applications are hosted “in the cloud.” What that cloud is made of, and where its components are located, matters. However, ask a cloud service vendor where your data will be stored or processed, the typical answers will likely range from “well… hum … in the cloud” to “we have servers everywhere, data moves around constantly” or “we cannot tell you for security reasons.”

Francoise Gilbert

Cloud service relationships are very complex. Numerous important issues are at stake. In many cases, the use of cloud services may jeopardize an entity’s ability to comply with the numerous laws to which it is subject. In addition, even if there are no specific legal compliance requirements, sensitive data and significant intangible assets might be at risk. Thus, before venturing in the cloud, it is of utmost importance for an entity to understand the scope and limitations of the service that it will receive, and the terms under which these services will be provided.

In part 1 of this article we discussed the preliminary planning and due diligence involved with choosing a cloud service provider.

In this part 2, we review critical steps for developing, maintaining and terminating cloud computing contracts. (more…)

Francoise Gilbert

The characteristics of cloud computing — on-demand self-service, elasticity, metered service or ubiquitous access — make it look like a simple and casual operation. Easy to get in, easy to get out, easy to augment, and easy to shrink; Just pay with your credit card. Attractive pricing structures are often justified by presenting cloud solutions as a “one-size-fits-all” product where standardization is key to reduced cost.

(more…)